Apr 21, 2026
UAE crypto custody: comparing DIFC, ADGM and VARA Dubai
Three Emirati regimes, three different theories of supervision. We unpack how the regulators differ on safekeeping rules, client asset segregation and capital — and where each makes sense depending on your operating model.

DIFC, ADGM, and VARA all support crypto custody projects, but each regime asks different questions about safekeeping, outsourcing, segregation, insurance, and key management. Treating the three as interchangeable "UAE options" is the most common scoping mistake we see — they are three different regulators with three different theories of what custody supervision is for, and the right choice is decided by the client base and operating model, not by brand preference for an emirate.
The map: three regulators, three perimeters
- DIFC — the Dubai International Financial Centre, a common-law financial free zone supervised by the DFSA. Crypto activity runs under the DFSA's crypto token regime, layered onto a mature securities-style rulebook with two decades of supervisory practice behind it.
- ADGM — Abu Dhabi Global Market, also common law, supervised by the FSRA. The FSRA published the region's first comprehensive virtual-asset framework in 2018 and has the longest supervisory track record with crypto custodians in the Gulf.
- VARA — Dubai's Virtual Assets Regulatory Authority, an emirate-level regulator created by Dubai law in 2022 for virtual asset activity in Dubai outside the DIFC. VARA licences by activity — custody among them — under rulebooks written for virtual assets from scratch rather than adapted from securities regulation.
Two more layers complete the federal picture and prevent expensive surprises. The federal Securities and Commodities Authority regulates virtual asset activity onshore outside Dubai, with a coordination arrangement covering VARA's emirate. And the central bank's payment token rules pull fiat-referenced stablecoin issuance and payment-token services into their own regime — a custody business touching payment stablecoins should perimeter-check that layer separately.
A custody business physically operating from Dubai chooses, in effect, between the DFSA and VARA; an Abu Dhabi base points to the FSRA. Target clients matter as much as geography: institutional mandates with conservative counterparties tend to value the common-law free zones and their familiar legal infrastructure, while VARA reaches the broader Dubai market and pairs naturally with exchange and brokerage activity under one local regulator.
What "custody" means in each rulebook
The word covers the same economic activity — holding clients' virtual assets or the means of access to them — but the regulatory texture differs.
ADGM (FSRA)
The FSRA framework is the most prescriptive on operational detail. Expectations around cold and hot wallet arrangements, withdrawal controls, address whitelisting, reconciliation cadence, and incident handling are explicit in guidance, and supervisors examine against them rather than treating them as aspirations. Client assets are held on trust-like terms with clear books-and-records duties, and the firm's operational competence — not just its policies — is tested at authorisation through walkthroughs and, commonly, demonstrations of the wallet architecture.
The FSRA also thinks in portfolio terms about the whole virtual-asset framework: custody sits alongside its exchange and intermediary regimes, and a custodian serving FSRA-licensed venues inherits interface expectations — settlement finality, segregation attestations — from that ecosystem.
DIFC (DFSA)
The DFSA leans on its existing client-asset architecture, adapted to tokens. The questions are recognisably those a securities custodian would face — title and how it is evidenced, prohibition on use of client assets, rehypothecation restrictions, third-party sub-custody due diligence, client disclosures — applied to wallet infrastructure. The regime also runs a recognition approach to the tokens themselves: which crypto tokens may be used in the centre is a regulatory question, not a commercial one, and the custody offering has to track that list.
Firms with traditional custody DNA tend to find the DFSA file familiar; crypto-native teams tend to underestimate how much securities-style discipline — corporate governance, audit, client documentation — the rulebook imports.
VARA
VARA's custody rulebook is activity-specific and operationally minded: key generation ceremonies, sharding and multi-signature arrangements, personnel screening for key holders, segregation of client virtual assets, incident and breach reporting are addressed directly in the custody services rulebook, supplemented by VARA's compulsory rulebooks on governance, compliance, and technology that apply across all licensed activities.
VARA expects local substance — the custody operation itself, not just a sales office, in Dubai — and its supervision style is iterative: licence conditions, staged approvals, and operational launch gates are common, which rewards applicants who plan the dialogue rather than expecting a single yes.
Safekeeping and segregation: the common core
All three regimes converge on principles a client or counterparty can rely on:
- Client virtual assets segregated from the firm's own assets, identifiable at all times.
- Protection against the firm's insolvency — trust or trust-like arrangements, with documentation that makes the client's claim legible to a court.
- Books and records reconciling client entitlements to on-chain holdings, with a cadence the regulator can inspect.
- No use of client assets for the firm's own account absent explicit, regulated arrangements.
Where they diverge is texture and verification: the FSRA verifies operations prescriptively, the DFSA verifies through its client-asset audit tradition, VARA verifies through staged approvals and rulebook-by-rulebook compliance attestations.
Key management and outsourcing
The technical custody question — who holds the keys, where, and under what controls — is supervised differently but examined everywhere:
- Self-custody technology (HSMs, MPC, multi-sig) is acceptable in all three regimes, but the firm must demonstrate competence in-house: named key holders, rehearsed ceremonies, documented recovery, tested failover. A vendor contract is not competence.
- Sub-custody and technology outsourcing are permitted with due diligence, ongoing oversight, audit and access rights, and exit plans. The FSRA and DFSA apply their general outsourcing rules on top of crypto-specific expectations; VARA addresses outsourcing within its rulebooks directly.
- Across all three, liability stays with the licensed custodian. An outsourcing arrangement drafted as liability transfer will be sent back, and the redraft costs a question round.
A practical pattern from delivered files: regulators respond well to a key-management chapter written as an operations manual — ceremony scripts, quorum tables, compromise playbooks — and poorly to one written as a vendor brochure.
Insurance and financial resources
Expect questions about insurance or equivalent loss-absorbing arrangements for custodied assets in all three regimes. The depth varies with the wallet architecture's risk profile: deep cold storage with tight quorums draws lighter questions than warm infrastructure serving high-frequency withdrawals. The available insurance market remains thin and priced accordingly — terms, exclusions, and sub-limits deserve as much diligence as the premium, and regulators read the policy, not the press release about it.
Capital requirements scale with activity and expenses rather than sitting at a single headline figure across the three regimes. The realistic budgeting exercise is the financial model reviewed against the chosen regulator's prudential rules — expense-based components, activity add-ons, liquid-assets expectations — not a number lifted from a comparison table. Build the model first; the capital answer falls out of it.
Choosing between them
- Choose ADGM when supervisory track record with custody and a prescriptive, predictable rulebook matter most — the typical institutional custody play, especially where counterparties will diligence the regulator as much as the firm.
- Choose DIFC when the offering sits next to securities-style services, the client base lives in DIFC's institutional ecosystem, or the group already operates DFSA-licensed business.
- Choose VARA when the business is Dubai-facing, broader than custody alone — exchange, brokerage, staking adjacencies — or when pairing retail reach with local substance under one regulator is the strategy.
Cost and timeline are comparable enough that they should not drive the decision alone; the deciding inputs are client expectations, adjacent activities, and where the team will genuinely operate.
Common mistakes in UAE custody files
- Choosing the regulator by prestige rather than by client base, then discovering the rulebook fits the model poorly.
- Treating the three regimes as one "UAE licence" in board papers and investor decks — the perimeter analysis unravels in diligence.
- Filing with a custody policy written by lawyers alone. The regulators read for operations: ceremonies, quorums, reconciliations, recovery.
- Ignoring the federal layers — SCA coordination and central-bank payment-token rules — until a product feature crosses into them.
- Underestimating substance: all three expect the operation, including key management personnel, where the licence lives.
Application anatomy: what all three regulators ask for
The chapter list is recognisably similar across DFSA, FSRA, and VARA files, even where the rulebooks differ:
- Regulatory business plan: the custody offering, client segments, asset coverage, and the revenue model — with the conflicts implications of any adjacent trading activity addressed rather than avoided.
- Ownership and governance: the chart to natural persons, source of capital, board composition, and the senior-management map with named individuals for compliance, risk, MLRO, and technology.
- The custody operations chapter: wallet architecture end to end — key generation, storage tiers, quorum tables, movement authorisation thresholds, whitelisting, reconciliation cadence, incident and compromise playbooks, recovery procedures with test evidence.
- Client asset framework: the legal model of holding (trust or trust-like), client disclosures, segregation mechanics, and the books-and-records design that lets an auditor tie client entitlements to on-chain holdings.
- Technology and security: penetration testing, vendor due diligence, change management, business continuity with recovery objectives, and — increasingly — evidence the firm has rehearsed the failure modes it lists.
- Financial resources: the capital computation under the chosen regime's rules, with projections and the stress case.
- AML/CFT: programme, tooling, travel-rule implementation, and the analytics evidence for the firm's own exposure management.
The single most effective preparation across all three: an internal dry-run where someone outside the project walks the custody chapter against the actual systems. Regulators in this region do exactly that, sometimes literally asking to observe a transfer ceremony.
From licence to first client asset: the launch gate
All three regulators separate authorisation from operational launch in practice, and the gap is where optimistic project plans go to die:
- Conditions precedent: licences commonly arrive with conditions — final policies, completed hires, insurance bound, systems attestations — that must be discharged before the first client asset moves.
- Banking and fiat rails: the custody licence does not open bank accounts. The fiat leg — onboarding deposits, paying out redemptions — needs its own institution willing to serve a UAE crypto custodian, and that search runs in parallel from project start.
- Auditor appointment: client-asset audit arrangements are expected at or near launch, and the audit firm's own onboarding of a crypto custodian takes longer than teams assume.
- Insurance binding: terms agreed in principle during the application harden slowly into bound policies; regulators read the binder, not the term sheet.
Realistic planning treats authorisation-to-launch as a discrete two-to-four-month phase with its own owner.
Costs to budget beyond the licence fee
- Application and annual supervision fees, which differ by regulator and activity set but are rarely the largest line.
- The custody technology stack: HSMs or MPC platform licences, analytics tooling, monitoring — annual costs that rival senior salaries.
- Insurance premiums for custodied assets, priced to the architecture's risk profile, with the thin market's terms.
- The local team: key management personnel, compliance, MLRO, and technology presence where the licence lives — the substance expectation translated into payroll.
- Audit: client-asset and financial audits from firms comfortable signing crypto custody opinions, at the prices that comfort commands.
Across delivered files the standing operational cost dwarfs the regulatory fees within the first year. The licence is the gate; the operation is the cost — and, properly run, the moat.
Questions clients ask
Can one licence cover the whole UAE?
No. DIFC and ADGM licences cover activity in and from their respective centres; VARA covers Dubai outside DIFC; the SCA covers the rest onshore. Groups serving multiple footprints structure accordingly — typically one operating hub plus distribution arrangements.
Do we need separate licences for custody and exchange?
Licensing is activity-based in all three regimes. Custody alongside exchange or broker-dealer activity means multiple activity authorisations — usually within one firm and one application, but each activity examined on its own rulebook.
How long does authorisation take?
Plan in months, not weeks: realistic end-to-end paths run six to twelve months depending on the regulator's queue, the file's completeness, and how quickly the firm answers questions. VARA's staged model can put a conditional licence in hand earlier, with operational launch gated on final approvals.
Which regime do institutional clients prefer?
Mandates with conservative LPs and global banks as counterparties tend to favour ADGM and DIFC for the common-law wrapper and supervisory familiarity. Dubai-centric and retail-adjacent businesses tend to fit VARA. The honest answer is to ask the three largest target clients which regulator shortens their diligence — and file there.
In every case the regulator will want to see an operator: named key holders, rehearsed ceremonies, tested recovery, real reconciliation. The jurisdictions differ; that expectation does not.
A ready-made ADGM Category 3A entity
An FSRA-licensed Category 3A company, transfer-ready — the regulated wrapper for a Gulf custody or brokerage build.
Editorial disclaimer
This article is general information only and is not legal, regulatory, tax, investment, or financial advice.
Need this guide turned into a decision?
Send SKY7 the product model, customer geography and launch timing. You get a route memo back: two or three workable jurisdictions, the capital and timeline for each, and which file we would open first.
Rashid Al-Mansouri
Rashid advises on DIFC, ADGM, VARA and wider UAE virtual-asset licensing routes for custody, exchange, brokerage and payment models. He tracks free-zone substance, local governance, bankability and regulator engagement so founders can compare Dubai and Abu Dhabi options before choosing an entity or filing path. His writing connects licensing scope with office setup, senior management substance, banking introductions and ongoing compliance calendars, helping teams distinguish a marketable UAE structure from one that can actually withstand onboarding and supervisory review.
Related licences